If you prefer to use a separate keystore for remote picos instead of the Platform's keystore, follow these steps.
Execution Context
First, ensure that the keystore property is set in your Platform Container as a result of enabling one-way SSL on RCP. Refer to Enable One-way SSL On RCP.
    "pico.rcp.tls.keystore"="/opt/mz/keys/keystore.p12"
Create a Keystore and Key Pair on Each Execution Container:
For each Execution Container, generate a keystore and a key pair (private key and corresponding public certificate). This keystore will store the private key and the certificate.
Export the Certificates from Execution Containers:
For each Execution Container, export the public certificate from its keystore.
Run the following command to export the Execution Container public certificate:
    $ keytool -keystore <path_to_ec_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>
For example, in the Execution Container, the created keystore file is eckeystore.p12. Run this command to export the Execution Container's public certificate to a file named ec_pubcert.pem:
    $ keytool -keystore eckeystore.p12 -export -rfc -alias ec -file ec_pubcert.pem
Import the Execution Container Certificates to the Platform Container:
Import the exported certificates from each Execution Container into the Platform Container's truststore. This allows the Platform Container to trust each Execution Container.
Copy the Execution Container's public certificate to the Platform Container.
Run the following command to import the Execution Container's public certificate into the Platform keystore set in pico.rcp.tls.keystore:
    $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>
For example, the Platform keystore set in the property pico.rcp.tls.keystore is $MZ_HOME/keys/keystore.p12. Set the alias name to 'ec':
    $ keytool -import -alias ec -file ec_pubcert.pem -keystore $MZ_HOME/keys/keystore.p12 -keypass mzadmin -storepass mzadmin
Run this command to view the keystore:
    $ keytool -list -keystore $MZ_HOME/keys/keystore.p12 -storepass mzadmin
You should see two entries: alias 1 is the Platform's own key pair (PrivateKeyEntry), and alias ec is the imported Execution Container certificate (trustedCertEntry).
Export the Platform Container Certificate:
Export the public certificate from the Platform Container's keystore.
Run the following command to export the Platform Container public certificate:
    $ keytool -keystore <path_to_platform_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>
For example, in the Platform Container, the created keystore file is keystore.p12. Run this command to export the Platform Container's public certificate to a file named platform_pubcert.pem:
    $ keytool -keystore keystore.p12 -export -rfc -alias 1 -file platform_pubcert.pem
Import the Platform Container Certificate to Execution Containers:
Import the exported Platform Container certificate into the truststore of each Execution Container. This allows the Execution Containers to trust the Platform Container.
Copy the Platform public certificate to the Execution Container.
Run the following command to import the Platform public certificate:
    $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>
For example, the Execution Container keystore created in the first step is saved as $MZ_HOME/keys/eckeystore.p12. Set the alias name to '1':
    $ keytool -import -alias 1 -file platform_pubcert.pem -keystore $MZ_HOME/keys/eckeystore.p12 -keypass mzadmin -storepass mzadmin
Run this command to view the keystore:
    $ keytool -list -keystore $MZ_HOME/keys/eckeystore.p12 -storepass mzadmin
You should see two entries: alias ec is the Execution Container's own key pair (PrivateKeyEntry), and alias 1 is the imported Platform Container certificate (trustedCertEntry).
Set the RCP TLS properties in the Execution Container:
Use mzsh topo set to set these properties:
    $ mzsh topo set 'topo://container:<execution container>/obj:common.pico.rcp.tls' \
        '{ keystore=<keystore path> }'
    $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.keystore.password"' \
        <encrypted password>
    $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.key.password"' \
        <encrypted password>
    $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.keystore.alias"' \
        <alias of the PrivateKeyEntry>
Example:
    $ mzsh topo set 'topo://container:echost01/obj:common.pico.rcp.tls' \
        '{ keystore="/opt/mz/keys/eckeystore.p12" }'
    $ mzsh topo set 'topo://container:echost01/val:common."pico.rcp.tls.keystore.password"' \
        'DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86'
    $ mzsh topo set 'topo://container:echost01/val:common."pico.rcp.tls.key.password"' \
        'DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86'
    $ mzsh topo set 'topo://container:echost01/val:common."pico.rcp.tls.keystore.alias"' \
        ec
Note that "pico.rcp.tls.keystore.alias" must be the alias of the Execution Container keystore's PrivateKeyEntry (ec in this example), not the alias under which the Platform certificate was imported (1). The resulting properties for the Execution Container are:
    pico.rcp.tls.keystore="/opt/mz/keys/eckeystore.p12"
    "pico.rcp.tls.keystore.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
    "pico.rcp.tls.key.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
    "pico.rcp.tls.keystore.alias"="ec"
In the Platform Container, enable client authentication by setting the property pico.rcp.tls.require_clientauth to true:
    $ mzsh topo set topo://container:<platform container>/val:common.pico.rcp.tls.require_clientauth true
Example:
    $ mzsh topo set topo://container:platform/val:common.pico.rcp.tls.require_clientauth true
Run mzsh topo open container to see the property:
    pico.rcp.tls.require_clientauth="true"
Restart the Platform, then restart the ECs. Once client authentication is required, every pico that connects to the Platform over RCP must present a certificate the Platform trusts; an EC whose certificate was not imported into the Platform keystore will fail to connect, and the Desktop needs the setup described under Legacy Desktop below.
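The following script is an added example and is not part of the MediationZone documentation: it performs the whole keytool exchange described in the steps above for one Platform (alias 1, keystore.p12) and one Execution Container (alias ec, eckeystore.p12) in a scratch directory, then checks the end state each "view the keystore" step describes. It also adds the check the steps leave to the reader: that the trustedCertEntry imported on each side has the same fingerprint as the peer's own PrivateKeyEntry certificate, so a certificate file swapped in transit is caught. It assumes the JDK keytool is on PATH; the host names platform.example and echost01.example, the passwords and the scratch directory are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example, not part of the MediationZone documentation. Assumes the JDK
# `keytool` is on PATH. Host names, passwords and the scratch directory are
# placeholders for this demonstration.
set -eu

# Generate a PKCS12 keystore holding one key pair under <alias>.
# gen_store <store> <alias> <cn> <password>
gen_store() {
  keytool -genkeypair -keyalg RSA -keysize 3072 -validity 365 -storetype PKCS12 \
    -keystore "$1" -alias "$2" -dname "CN=$3" \
    -storepass "$4" -keypass "$4" >/dev/null 2>&1
}

# Export the certificate under <alias> as PEM (the "-export -rfc" step above).
# export_cert <store> <alias> <password> <out.pem>
export_cert() {
  keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" -file "$4" >/dev/null 2>&1
}

# Import a peer certificate as a trustedCertEntry under <alias>.
# import_cert <store> <alias> <password> <cert.pem>
import_cert() {
  keytool -importcert -noprompt -keystore "$1" -alias "$2" -storepass "$3" -file "$4" >/dev/null 2>&1
}

# Print the certificate fingerprint keytool lists for <alias> (empty if the alias is absent).
# fingerprint <store> <alias> <password>
fingerprint() {
  keytool -list -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
    | sed -n 's/.*fingerprint ([^)]*): *//p' | head -n 1
}

# Count entries of <type> (PrivateKeyEntry or trustedCertEntry) in <store>.
# count_entries <store> <password> <type>
count_entries() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c ", $3," || true
}

# Run the full exchange: generate both stores, export both certificates,
# and import each certificate into the other side's store.
# setup_mutual_trust <dir> <platform_password> <ec_password>
setup_mutual_trust() {
  gen_store "$1/keystore.p12"   1  platform.example "$2"
  gen_store "$1/eckeystore.p12" ec echost01.example "$3"
  export_cert "$1/eckeystore.p12" ec "$3" "$1/ec_pubcert.pem"
  export_cert "$1/keystore.p12"   1  "$2" "$1/platform_pubcert.pem"
  import_cert "$1/keystore.p12"   ec "$2" "$1/ec_pubcert.pem"        # Platform trusts EC
  import_cert "$1/eckeystore.p12" 1  "$3" "$1/platform_pubcert.pem"  # EC trusts Platform
}

# Check the end state described above: exactly one PrivateKeyEntry (under the
# store's own alias) and one trustedCertEntry, and the trusted certificate has
# the same fingerprint as the peer store's own certificate.
# verify_store <store> <password> <own_alias> <peer_store> <peer_password> <peer_alias>
verify_store() {
  [ "$(count_entries "$1" "$2" PrivateKeyEntry)" = 1 ] || return 1
  [ "$(count_entries "$1" "$2" trustedCertEntry)" = 1 ] || return 1
  keytool -list -keystore "$1" -alias "$3" -storepass "$2" 2>/dev/null \
    | grep -q ", PrivateKeyEntry," || return 1
  trusted=$(fingerprint "$1" "$6" "$2")
  peer=$(fingerprint "$4" "$6" "$5")
  [ -n "$trusted" ] && [ "$trusted" = "$peer" ]
}

# Stand-alone run: build and verify the pair in a scratch directory.
if command -v keytool >/dev/null 2>&1; then
  work=$(mktemp -d)
  setup_mutual_trust "$work" platform-pass ec-pass
  verify_store "$work/keystore.p12"   platform-pass 1  "$work/eckeystore.p12" ec-pass       ec
  verify_store "$work/eckeystore.p12" ec-pass       ec "$work/keystore.p12"   platform-pass 1
  keytool -list -keystore "$work/keystore.p12" -storepass platform-pass
  echo "mutual trust verified under $work"
else
  echo "keytool not found on PATH" >&2
fi
```

The passwords are passed with -storepass/-keypass only so the script runs unattended; on a real host omit them and let keytool prompt, so the password does not end up in shell history. The fingerprint comparison is the check to run by hand after copying a certificate file between hosts: the fingerprint keytool prints on the originating host must match the one printed for the imported alias on the receiving host. The paths and aliases the script produces are the values that go into the pico.rcp.tls.* properties set with mzsh topo set above.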
Info
If the Platform property
Legacy Desktop
When client authentication is enabled, each Desktop installation must authenticate itself to the Platform using a private key. The Desktop can use the same keystore file as the Platform Container.
...
Copy the keystore file created above to the host where the Desktop Launcher will be run.
Copy the certificate file created above to the Platform Container.
Import the certificate into the Platform keystore:
    $ keytool -keystore <path_to_platform_keystore-file> -import -file <certificate filename> -alias <alias>
For example, this command imports the certificate into the Platform keystore:
    $ keytool -keystore $MZ_HOME/keys/keystore.p12 -import -file clientcert.cer -alias clientcert
If you view the keystore, you should see the entry with alias clientcert, which is the client Desktop certificate (trustedCertEntry).
Open the Desktop Launcher.
Right-click on a MediationZone instance and then select Instance Settings from the popup menu. Select the Security tab.
Right-click on the text field under Client Key and select Import Key From File.
Select the keystore file from step 1 and click Open.
Enter Keystore password and click OK to add into Client Key.
Click OK to close the Security tab and proceed with Login.